When running the following code snippet logged in as a simple user, I expose my entire organisation's emails, etc.
I'd like to restrict what a regular user can get from the Microsoft Graph API (i.e. only see the logged-in user).
from azure.identity import InteractiveBrowserCredential
from msgraph.core import GraphClient

# Sign in interactively as the current (non-admin) user.
credential = InteractiveBrowserCredential()
client = GraphClient(credential=credential)

# Lists every user in the tenant, not just the signed-in one.
result = client.get('/users')
print(result.json())
Thanks for your help
Cheers
T
2 Answers
Being able to view other users' profiles is part of a member user's default permissions (see What are the default user permissions in Azure Active Directory?). This capability is used by many of Microsoft's own apps and services (e.g. the address book in Outlook, searching for a user to share a file with in OneDrive for Business or SharePoint, seeing the contact card of a user in Teams, etc.).
While you can restrict member users' default permissions and disallow them from reading other users' profiles, this will often cause unexpected issues with many Microsoft services, and it is generally not recommended.
Best practice is to stick with least-privilege permissions for the users:
Here is the document for restricting the member users' default permissions: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#restrict-member-users-default-permissions
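As an added example (not code from the question or from the answer above), the following script shows the two things this thread is about from the administrator's side: the least-privilege request for the "only see the logged-in user" case (delegated scope User.Read and the /me path instead of /users), and a read of the tenant's authorizationPolicy object, which is what the "restrict member users' default permissions" setting in the linked document toggles, so you can check whether member users may read other users' profiles before deciding to change it. The policy body in the script is a constructed sample; the optional live call at the bottom assumes azure-identity is installed and that the signed-in account holds Policy.Read.All for the policy endpoint.

```python
# Added example, not code from the question or the answer above.
import json
import urllib.request
from typing import Callable, Dict

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Scope strings in the form azure.identity's get_token() expects (resource + permission).
SELF_PROFILE_SCOPE = "https://graph.microsoft.com/User.Read"
POLICY_READ_SCOPE = "https://graph.microsoft.com/Policy.Read.All"


def self_profile_request() -> Dict[str, str]:
    """Least-privilege way to show a user only their own profile: /me with User.Read.
    /users relies on the tenant default that lets members read everyone (or on
    User.Read.All), which is exactly what the question wants to avoid."""
    return {"path": "/me", "scope": SELF_PROFILE_SCOPE}


def member_users_can_read_others(policy: dict) -> bool:
    """Interpret a GET /policies/authorizationPolicy body.
    defaultUserRolePermissions.allowedToReadOtherUsers is the flag behind the
    'restrict member users' default permissions' setting; the tenant default is true."""
    perms = policy.get("defaultUserRolePermissions", {})
    return bool(perms.get("allowedToReadOtherUsers", True))


def audit_policy(policy: dict) -> Dict[str, object]:
    """Turn the policy into a finding a reviewer can act on."""
    open_read = member_users_can_read_others(policy)
    return {
        "member_users_can_read_other_profiles": open_read,
        "finding": (
            "any member user can list /users; this is the tenant default that "
            "Outlook, Teams and SharePoint people-pickers depend on"
            if open_read
            else "member users are restricted from reading other users' profiles"
        ),
    }


def graph_fetcher(credential) -> Callable[[str, str], dict]:
    """Wrap any azure.identity credential as a minimal Graph GET (network call).
    Each call requests only the scope that endpoint needs."""
    def fetch_json(path: str, scope: str) -> dict:
        token = credential.get_token(scope).token
        req = urllib.request.Request(
            GRAPH_BASE + path, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch_json


# Constructed sample of the relevant part of an authorizationPolicy response
# (field names are the real Graph ones; the values are made up for this example).
SAMPLE_POLICY = json.loads("""
{
  "id": "authorizationPolicy",
  "allowInvitesFrom": "adminsAndGuestInviters",
  "defaultUserRolePermissions": {
    "allowedToCreateApps": true,
    "allowedToCreateSecurityGroups": true,
    "allowedToReadOtherUsers": true
  }
}
""")

if __name__ == "__main__":
    # Offline part: evaluate the constructed policy.
    print(audit_policy(SAMPLE_POLICY))

    # Live part (optional): same sign-in as the question's snippet, but each
    # request is scoped to what it needs. Requires: pip install azure-identity
    from azure.identity import InteractiveBrowserCredential
    fetch = graph_fetcher(InteractiveBrowserCredential())
    print(fetch(**self_profile_request()))  # only the signed-in user's profile
    print(audit_policy(fetch("/policies/authorizationPolicy", POLICY_READ_SCOPE)))
```

The offline part runs anywhere; the live part needs a browser sign-in, and the policy read will return 403 for an account without Policy.Read.All, which is the expected least-privilege outcome for a regular member.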